Security researcher Arul Kumar was paid $12,500 by Facebook, after discovering and reporting a bug that would allow any user to delete the photos of other Facebook users, simply by changing parameters in a URL.
The severity of the security flaw apparently induced Facebook to pay Kumar far more than the base bounty of $500 for bugs reported through the website’s white hat security program.
The flaw resided in Facebook’s Support Dashboard. If Facebook refused to remove an image that an attacker claimed to find offensive, the attacker would be given the option of sending a request for deletion to the owner of the picture.
A link would be sent to the owner of the picture, with the option of deleting it. However, Kumar discovered that, before the delete request was sent off, it was possible to alter some information in the URL so that the delete link was sent to any user at all – including an alternate account owned by the attacker.
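The flaw described above is a classic insecure direct object reference: the server let a client-controlled URL parameter decide who received the delete link. The following Python sketch is an added example, not Facebook's code; the parameter names `photo_id` and `profile_id` and the sample photo table are constructed. It shows the vulnerable pattern beside a fixed version that derives the recipient from server-side ownership and re-checks ownership at deletion time.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not real Facebook identifiers: photo id -> owner id.
PHOTOS = {"photo_1001": "alice", "photo_1002": "bob"}
_SIGNING_KEY = secrets.token_bytes(32)  # per-process key for the delete-link token


def delete_token(photo_id: str, recipient_id: str) -> str:
    """Sign (photo, recipient) so a delete link cannot be re-pointed at another photo."""
    msg = f"{photo_id}|{recipient_id}".encode()
    return hmac.new(_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def build_delete_link_vulnerable(params: dict):
    """Trusts the client-supplied 'profile_id' (hypothetical name) to decide who
    receives the delete link. Editing that parameter redirects the link for
    someone else's photo to an account the requester controls."""
    photo_id, recipient = params["photo_id"], params["profile_id"]
    return recipient, delete_token(photo_id, recipient)


def build_delete_link_fixed(params: dict):
    """Derives the recipient from server-side ownership of the photo; the client
    cannot choose it. A 'profile_id' that disagrees with the owner is rejected
    (and is worth logging as a tampering attempt)."""
    owner = PHOTOS.get(params["photo_id"])
    if owner is None:
        raise LookupError("unknown photo")
    if params.get("profile_id") not in (None, owner):
        raise PermissionError("profile_id does not own this photo")
    return owner, delete_token(params["photo_id"], owner)


def delete_photo(actor: str, photo_id: str, token: str) -> bool:
    """Final authorization check, independent of how the link was obtained:
    only the current owner holding a valid token for (photo, owner) may delete."""
    owner = PHOTOS.get(photo_id)
    if owner is None or actor != owner:
        return False
    if not hmac.compare_digest(token, delete_token(photo_id, actor)):
        return False
    del PHOTOS[photo_id]
    return True
```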
Facebook thanked Kumar for his work, and reported that a fix would be online by the next day. Kumar claims to have later been awarded $12,500 USD.
The story follows a recent incident, in which security researcher Khalil Shreateh – who had been unsuccessful in securing Facebook’s attention to his own discovery – hacked the account of Facebook founder Mark Zuckerberg, and posted an apology on his wall.
In the latter event, despite the severity of the situation, Facebook refused to bestow a reward on Shreateh, since he had violated the website’s terms of service.
In this case, as in Shreateh’s, the flaw was demonstrated using Mark Zuckerberg’s own account. However, Kumar did not actually delete any information from Zuckerberg’s profile, getting only as far as the “delete” button before stopping the procedure.
It is disturbing to think that an exploit as simple and devastating as the one Kumar discovered could have been sitting unnoticed on the website for the past few years. However, the discovery, and the reward which Facebook paid for it, go to show the effectiveness of the white hat bounty system.
As always, it is far better for a security researcher to find a flaw before a malicious hacker does.